Reps. Lieu and Langevin introduce bill to restore job; IT industry asks White House to reconsider.

Last month, White House Cybersecurity Coordinator Rob Joyce announced that he would be leaving his position, a role within the White House's National Security Council responsible for synchronizing the information security efforts of all federal agencies. The job also entailed setting policy for defensive and offensive network operations by the US military, Department of Homeland Security, and intelligence community. It's a big job, and it's one that Joyce had unique credentials for—he used to direct the Office of Tailored Access Operations (TAO), the National Security Agency's main network intrusion and hacking unit.

Joyce's departure would leave some big shoes to fill. But President Donald Trump has apparently decided that those shoes can easily be filled by NSC Director John Bolton all by himself. In an executive order yesterday, Trump eliminated the national cybersecurity coordinator position in a reorganization of the NSC, placing authority over all things cyber with Bolton and his NSC staffers.

That move has prompted concern from members of Congress, and from Democrats in particular, who have called for Trump to reverse the move.

Another brick in the firewall

"This is yet another example of the Trump Administration talking a big game on national security but taking steps that directly undermine our ability to combat emerging threats," Rep. Ted Lieu (D-Calif.) said in a statement after news of Trump's decision broke. "As a computer science major and Air Force veteran, I can tell you that eliminating the White House cybersecurity coordinator will endanger our economy, critical infrastructure, and possibly American lives."

Lieu and Congressman Jim Langevin (D-R.I.)—co-founder and co-chair of the Congressional Cybersecurity Caucus—submitted a bill this morning in the House that would permanently establish a position of director of cybersecurity policy at the White House. The bill, entitled the "Executive Cyberspace Coordination Act of 2018," would establish a National Office for Cyberspace within the Executive Office of the President, entirely separate from the National Security Council. “The decision to eliminate the top White House cyber policy role is outrageous, especially given that we’re facing more hostile threats from foreign adversaries than ever before," said Lieu.

While the Obama administration created the role of National Cybersecurity Coordinator in 2009—naming former George W. Bush administration cyber advisor and US CERT Chief Security Strategist Howard Schmidt to the job—the Bush administration laid the groundwork for such a role after the September 11, 2001 terrorist attacks by naming Richard Clarke as special advisor to the president on cybersecurity.

Clarke's role as the first "cyber czar" fell within the Office of Management and Budget; the "czar" job shifted to the Department of Homeland Security, with the formation of the National Cybersecurity Center and Rod Beckstrom serving as its first director. But while DHS took over oversight of cybersecurity for the civilian agencies of government, there was still no single point of guidance for coordinating policy and security operations across all the government's networks. Beckstrom resigned from the job because of a lack of funding—and a lack of cooperation from the NSA.

That problem led to the creation of the National Cybersecurity Coordinator role—one czar to rule all the cyber—as part of the National Security Council. Schmidt and his successor, Michael Daniel, took point in the administration for developing national and international cybersecurity strategy, and they oversaw the implementation of government information security policies. Under Daniel's watch, the Obama administration created a Cybersecurity National Action Plan (CNAP) that has provided much of the direction for agencies' information security strategy since. President Trump's cybersecurity executive order was largely cribbed from the CNAP.

Abort, retry, ignore

The Trump administration was initially slow to fill the role left by Daniel after he was discharged. Joyce wasn't named to the cybersecurity coordinator position until March of 2017, and the chaos within the NSC in the first months of the administration didn't make for much in the way of progress on policy. So the continuation of the course set by the Obama administration was welcomed by many in the information security field.

However, with NSC Director H.R. McMaster's departure and the elevation of Bolton to that position, in addition to the departure of Joyce, that comfort appears to be evaporating—especially since Bolton, who has no particular "cyber" expertise, is now moving to guide cyber policy himself.

The NSC currently has two "senior directors" for cybersecurity policy: Joshua Steinman and Grant Schneider. Steinman, a Navy Reserve officer who left the Defense Department to work at a cyber-security firm, was brought on as a cybersecurity director for NSC in January 2017, just days after the inauguration. Steinman had reportedly been positioning himself to fill Joyce's job.

Schneider has significant government IT security experience—he was deputy US chief information security officer (CISO) in the Obama administration and was elevated to the role of acting CISO after Trump's inauguration. He was added to the NSC team in August of last year to fill a "vacated senior director position," as the White House put it, while retaining the CISO role. (Trump has yet to name a Federal CISO, and he eliminated the White House CISO role last year.)

But neither NSC cyber director has the expertise Joyce brought to the position, and they will certainly not have the same level of authority.

Managing up

“We have had three excellent cybersecurity coordinators since the late Howard Schmidt originated the position," Rep. Langevin said in a statement. "It is an enormous step backwards to deemphasize the importance of this growing domain within the White House."

Similar concerns were voiced by representatives of the IT industry, including the Computing Technology Industry Association. CTIA Executive VP Elizabeth Hyman told NBC News, "A cohesive and comprehensive cybersecurity strategy across all agencies within the federal government can only be accomplished when there is one office specifically tasked with coordination."

Chris Painter, a former NSC cyber policy director from the Obama administration, tweeted his concern:

Creating a White House office dedicated to cyberspace, Lieu said, would ensure that there was consistent and coordinated policy across the entire government in the face of growing threats to national security. "A coordinated effort to keep our information systems safe is paramount if we want to counter the cyber threats posed by foes like Russia, Iran and China," he said. "To do anything less is a direct threat to national security.”

The bill authored by Lieu and Langevin, which is co-sponsored by a number of senior House Democrats (but no Republicans), would make the director of the National Office for Cyberspace a Senate-confirmed position, responsible for coordinating cybersecurity issues across the government, directing the defense of government networks in the event of an attack, and promoting civil liberties in "cyberspace." The bill is based largely on recommendations, never implemented, from the Center for Strategic and International Studies' Commission on Cybersecurity for the 44th Presidency (which Langevin co-chaired from 2008 to 2010).

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com. Twitter: @thepacketrat

Imagine other things being run like the Trump government. Completely unqualified? No problem! Summer job working at McDonald's --> Aerospace engineer. Sunglasses booth at the mall --> Head of Cardiac surgery at Johns Hopkins. Why not?

Of all the things to get Trump-angry about, I'd put this fairly low. Bolton is a pretty terrible NSC leader thanks to his desire to bomb everything, but there's plenty of other impediments to agencies achieving competent cybersecurity than the org chart at the top of the executive branch.

You’re probably right, but getting rid of the position sends a message to the international community that the US gov’t doesn’t care very much about cyber security. It’s up to the free market to defend our nation I guess. It doesn’t exactly give me the warm fuzzies.

An effective security policy starts from the top down so it’s going to be much harder for the people who do care to implement an effective security program that encompasses all parts of government.

Every time I see a Trump headline like this, I check the address bar in my browser to see if I accidentally opened The Onion. Sadly, that never seems to be the case.

You are entering the vicinity of an area adjacent to a location. The kind of place where there might be a monster, or some kind of weird mirror. These are just examples; it could also be something much better. Prepare to enter: The Scary Door.

It would be easy enough to effectively decapitate the office by putting some oaf or lackey like Devin Nunes in charge, but no, you've got to flagrantly wave your disregard for your oath of office in my face.

Cyber security seems to be something that should fall under the national security council. So provided that the duties are performed, what are the issues with this move?

Because it's a technically complicated matter that has historically been undervalued and needs dedicated leadership to influence policy making and champion the importance of cyber security in general. The significance of cyber security is only increasing, so why try to have a jack-of-all-trades in charge instead of splitting the responsibilities of two widely different areas?

Cyber security seems to be something that should fall under the national security council. So provided that the duties are performed, what are the issues with this move?

Because even disregarding Bolton being an unqualified idiot, it's way too much for one person. It shouldn't even be a position in the NSC, it should be an entire government department. We're way behind the ball on cyber security, because most people don't understand how serious the threat is. There needs to be massive rethinking of priorities in all industries and all government agencies to deal with information security, and having it put on one guy who already has a fulltime job is not going to cut it.

Imagine other things being run like the Trump government. Completely unqualified? No problem! Summer job working at McDonald's --> Aerospace engineer. Sunglasses booth at the mall --> Head of Cardiac surgery at Johns Hopkins. Why not?

"IT is a cost center, we should eliminate the position and just get Joe from accounting to handle it."